From 41cacd579fe5bab83c3394efcc6a2b27eabbc909 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Thu, 18 Feb 2021 15:17:46 -0800
Subject: [PATCH] Model moved io/ioutil functions
---
 ql/src/semmle/go/frameworks/stdlib/Io.qll | 8 ++++++++
 ql/src/semmle/go/frameworks/stdlib/Os.qll | 10 ++++++++++
 .../semmle/go/frameworks/StdlibTaintFlow/Io.go | 10 ++++++++++
 .../semmle/go/frameworks/StdlibTaintFlow/Os.go | 7 ++++++-
 4 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/ql/src/semmle/go/frameworks/stdlib/Io.qll b/ql/src/semmle/go/frameworks/stdlib/Io.qll
index 512098b8c1e..968f45dfe9b 100644
--- a/ql/src/semmle/go/frameworks/stdlib/Io.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/Io.qll
@@ -61,6 +61,14 @@ module Io {
 // signature: func WriteString(w Writer, s string) (n int, err error)
 hasQualifiedName("io", "WriteString") and
 (inp.isParameter(1) and outp.isParameter(0))
+ or
+ // signature: func NopCloser(r io.Reader) io.ReadCloser
+ hasQualifiedName("io", "NopCloser") and
+ (inp.isParameter(0) and outp.isResult())
+ or
+ // signature: func ReadAll(r io.Reader) ([]byte, error)
+ hasQualifiedName("io", "ReadAll") and
+ (inp.isParameter(0) and outp.isResult(0))
 }
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
diff --git a/ql/src/semmle/go/frameworks/stdlib/Os.qll b/ql/src/semmle/go/frameworks/stdlib/Os.qll
index 3b2ea652e93..a5b94f3a471 100644
--- a/ql/src/semmle/go/frameworks/stdlib/Os.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/Os.qll
@@ -55,6 +55,16 @@ module Os {
 fn = "Truncate" and pathidx = 0
 or
 fn = "DirFS" and pathidx = 0
+ or
+ fn = "ReadDir" and pathidx = 0
+ or
+ fn = "ReadFile" and pathidx = 0
+ or
+ fn = "MkdirTemp" and pathidx in [0 .. 1]
+ or
+ fn = "CreateTemp" and pathidx in [0 .. 1]
+ or
+ fn = "WriteFile" and pathidx = 0
 )
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Io.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Io.go
index e5bc3ca1cfd..d06e9b6d818 100644
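Review bot: In the `Io.qll` hunk the two new signature comments use the `io.` qualifier (`func NopCloser(r io.Reader) io.ReadCloser`), while the neighbouring comment in the same predicate uses the package-local form (`func WriteString(w Writer, s string) (n int, err error)`). For consistency I would write `// signature: func NopCloser(r Reader) ReadCloser` and `// signature: func ReadAll(r Reader) ([]byte, error)`. The enclosing predicate begins outside the hunk.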
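Review bot: In the `Os.qll` hunk, the `MkdirTemp` and `CreateTemp` rows use `pathidx in [0 .. 1]`, which marks the second argument as a path even though it is the name pattern rather than a directory, and the standard library returns an error when that pattern contains a path separator. If this predicate feeds path-traversal style sinks (not visible in this hunk), index 1 is likely to produce alerts that cannot lead to a directory escape. Either restrict these two rows to `pathidx = 0`, or keep index 1 and add a comment such as `// index 1 is the name pattern; modelled as a path argument because it controls the created name`. The `$fsaccess=part` expectations in the second `Os.go` hunk would need to follow whichever choice is made; the enclosing predicate starts outside the hunk.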
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Io.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Io.go
@@ -302,4 +302,14 @@ func RunAllTaints_Io() {
 out := TaintStepTest_IoWriterToWriteTo_B0I0O0(source)
 sink(24, out)
 }
+ {
+ source := newSource(25).(io.Reader)
+ out := io.NopCloser(source)
+ sink(25, out)
+ }
+ {
+ source := newSource(26).(io.Reader)
+ out, _ := io.ReadAll(source)
+ sink(26, out)
+ }
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go
index 9736cddfdc8..a930c2d435f 100644
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go
@@ -152,7 +152,7 @@ func RunAllTaints_Os() {
 }
 func fsAccesses() {
- var path, path1 string
+ var path, path1, part string
 var time time.Time
 os.Chdir(path) // $fsaccess=path
 os.Chmod(path, 0600) // $fsaccess=path
@@ -175,4 +175,9 @@ func fsAccesses() {
 os.Symlink(path, path1) // $fsaccess=path $fsaccess=path1
 os.Truncate(path, 1000) // $fsaccess=path
 os.DirFS(path) // $fsaccess=path
+ os.ReadDir(path) // $fsaccess=path
+ os.ReadFile(path) // $fsaccess=path
+ os.MkdirTemp(path, part) // $fsaccess=path $fsaccess=part
+ os.CreateTemp(path, part) // $fsaccess=path $fsaccess=part
+ os.WriteFile(path, []byte{}, 0600) // $fsaccess=path
 }
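Review bot: In the `Io.go` hunk, cases 25 and 26 call `io.NopCloser` and `io.ReadAll` inline, whereas the preceding case goes through a dedicated helper (`TaintStepTest_IoWriterToWriteTo_B0I0O0`). If this file is generated, as the helper naming suggests, hand-written inline cases may be lost on regeneration; wrapping each call in a helper of the same shape would keep the file uniform. The discarded error in `out, _ := io.ReadAll(source)` is acceptable for a taint fixture but deserves a short comment such as `// error ignored: only the data flow matters here`. `RunAllTaints_Io` begins outside the hunk.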